01-12 PBR Configuration
Ethernet Switches
Configuration Guide - IP Unicast Routing
12 PBR Configuration
Purpose
Traditionally, to determine the route used to forward a packet, a switch searches
its IP routing table based on the destination address carried in the packet. To
allow switches to route packets based on user-defined policies instead,
policy-based routing (PBR) can be configured.
Benefits
PBR has the following advantages:
● Allows network administrators to define policies for routing packets,
improving route selection flexibility.
● Enables different data flows to be forwarded on different links, increasing link
efficiency.
● Allows cost-effective links to be used for transmitting service data without
affecting service quality, reducing the cost of enterprise data services.
Licensing Requirements
PBR is a basic feature of a switch and is not under license control.
NOTE
For details about software mappings, visit Info-Finder and search for the desired product
model.
Feature Limitations
On the S2720-EI, S5720I-SI, S5720-LI, S2730S-S, S5735-L1, S300, S5735-L, S5735S-L,
S5735S-L1, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S500, S5735-S-I,
and S5735S-S, PBR takes effect only for the packets forwarded at Layer 3 but not
for the packets forwarded at Layer 2. On other switch models, PBR takes effect for
the packets forwarded at both Layer 2 and Layer 3.
Pre-configuration Tasks
Before configuring PBR, complete the following tasks:
Procedure
1. Configure a traffic classifier.
For details about configuring a traffic classifier, see Configuring a Traffic
Classifier in "MQC Configuration" in the S300, S500, S2700, S5700, and S6700
V200R020C10 Configuration Guide - QoS.
2. Configure a traffic behavior.
a. Run traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed;
alternatively, the view of an existing traffic behavior is displayed.
b. Run the following commands as required.
The system then applies the policy to the incoming packets that are
sent from the VLAN and match traffic classification rules.
– Apply a traffic policy globally.
i. Run system-view
The system view is displayed.
ii. Run traffic-policy policy-name global inbound [ slot slot-id ]
A traffic policy is applied globally.
Background
PBR allows switches to select paths and forward packets based on defined policies.
However, PBR lacks a fault detection mechanism. In a scenario where the link for
the redirection next hop becomes faulty, PBR becomes ineffective only after the
ARP entry of the redirection next hop is aged. As a result, services cannot be
immediately switched to another link, causing service interruptions.
Network quality analysis (NQA) for PBR solves this issue by providing a fault
detection mechanism for PBR. In the same scenario, the next hop will become
ineffective immediately without waiting for the aging of its ARP entry. This is
because the NQA test identifies the fault. NQA for PBR helps shorten the service
interruption time and improve QoS.
Pre-configuration Tasks
Before configuring NQA for PBR, complete the following tasks:
● Configure IP addresses and routing protocols for interfaces to ensure
connectivity.
● Configure an ACL if the ACL needs to be used to classify traffic.
Procedure
1. Configure an ICMP NQA test instance.
a. Run system-view
The system view is displayed.
b. Run nqa test-instance admin-name test-name
An NQA test instance is created, and the test instance view is displayed.
c. Run test-type icmp
The test type is set to ICMP.
NOTE
When NQA is associated with PBR, only an ICMP NQA test instance can be used
to check whether a route from the source to the destination is reachable.
d. Run destination-address ipv4 ip-address
The destination address is set for the NQA test instance.
e. (Optional) Run frequency interval
The interval at which the NQA test instance automatically runs is set.
By default, no automatic test interval is set. The system performs the test
only once.
f. (Optional) Run probe-count number
The number of probes to be sent each time is set for the NQA test
instance.
By default, the number of probes to be sent each time is 3.
By sending multiple probes for an NQA test instance, the network quality
can be estimated more accurately based on the collected statistics.
g. (Optional) Run interval { milliseconds interval | seconds interval }
The interval at which probe packets are sent is set for the NQA test
instance.
For the default interval at which probe packets are sent, see the
command reference manual.
h. (Optional) Run timeout time
The timeout period of a probe is set for the NQA test instance.
By default, the timeout period of a probe for FTP test instances is 15s and
that for other test instances is 3s.
i. Set the NQA test instance startup mode as required to start the NQA test
instance.
In a given traffic behavior, a next-hop IP address can be bound to only one NQA
test instance.
On the switch, a maximum of eight NQA test instances can be bound.
d. (Optional) Run statistic enable
Networking Requirements
In Figure 12-1, the Switch on the aggregation layer is a Layer 3 forwarding device,
and an LSW on the access layer serves as the user gateway. There is a reachable
route between the Switch and LSW. The Switch is connected to two core routers
through two links: a high-speed link with the gateway 10.1.20.1/24 and a low-
speed link with the gateway 10.1.30.1/24.
The enterprise requires that the Switch forward packets from 192.168.100.0/24
and 192.168.101.0/24 to the core layer through the high-speed link and low-speed
link, respectively.
Configuration Roadmap
Implement PBR through redirection so that the Switch can provide differentiated
services. The configuration roadmap is as follows:
1. Create VLANs and configure interfaces to connect the enterprise's devices to
external network devices.
2. Configure ACL rules to separately match packets with source IP addresses
192.168.100.0/24 and 192.168.101.0/24.
3. Configure traffic classifiers and bind them to ACL rules so that the Switch can
differentiate packets.
4. Configure traffic behaviors to redirect the packets matching different rules to
10.1.20.1/24 and 10.1.30.1/24 separately.
5. Configure a traffic policy, bind it to the traffic classifiers and traffic behaviors,
and apply it to the inbound direction of GE0/0/3 to implement PBR.
Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLANs 100 and 200 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200
# Configure GE0/0/1, GE0/0/2, and GE0/0/3 on the Switch as trunk interfaces, and
add them to VLANs 100 and 200.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 200
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 200
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 200
[Switch-GigabitEthernet0/0/3] quit
# Create VLANIF 100 and VLANIF 200, and configure IP addresses for them.
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.20.2 24
[Switch-Vlanif100] quit
[Switch] interface vlanif 200
[Switch-Vlanif200] ip address 10.1.30.2 24
[Switch-Vlanif200] quit
Classifier: c1
Operator: OR
Rule(s) : if-match acl 3001
----End
Configuration Files
● Switch configuration file
#
sysname Switch
#
vlan batch 100 200
#
acl number 3001
rule 5 permit ip source 192.168.100.0 0.0.0.255
acl number 3002
rule 5 permit ip source 192.168.101.0 0.0.0.255
#
traffic classifier c1 operator or
if-match acl 3001
traffic classifier c2 operator or
if-match acl 3002
#
traffic behavior b1
redirect ip-nexthop 10.1.20.1
traffic behavior b2
redirect ip-nexthop 10.1.30.1
#
traffic policy p1 match-order config
classifier c1 behavior b1
classifier c2 behavior b2
#
interface Vlanif100
ip address 10.1.20.2 255.255.255.0
#
interface Vlanif200
ip address 10.1.30.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 200
traffic-policy p1 inbound
#
return
Configuration Roadmap
Implement PBR through redirection so that the Switch can provide differentiated
services. The configuration roadmap is as follows:
1. Create VLANs and configure interfaces to connect the enterprise's devices to
external network devices.
2. Configure ACL rules to separately match the packets with IP precedences of 4,
5, 6, and 7 and the packets with IP precedences of 0, 1, 2, and 3.
3. Configure traffic classifiers and bind them to ACL rules in the traffic classifiers
so that the Switch can differentiate packets.
4. Configure traffic behaviors to redirect the packets matching traffic
classification rules to 10.1.20.1/24 and 10.1.30.1/24 separately.
5. Configure a traffic policy, bind it to the traffic classifiers and traffic behaviors,
and apply it to the inbound direction of GE0/0/3 to implement PBR.
Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLAN 100 and VLAN 200 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200
# Configure GE0/0/1, GE0/0/2, and GE0/0/3 on the Switch as trunk interfaces and
add them to VLAN 100 and VLAN 200.
NOTE
Configure the interface connecting the LSW to the Switch as a trunk interface and add it to
VLAN 100 and VLAN 200.
# Create VLANIF 100 and VLANIF 200 and configure IP addresses for them.
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.20.2 24
[Switch-Vlanif100] quit
[Switch] interface vlanif 200
[Switch-Vlanif200] ip address 10.1.30.2 24
[Switch-Vlanif200] quit
# On the Switch, create a traffic policy p1, and bind it to the traffic classifiers and
traffic behaviors.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] classifier c2 behavior b2
[Switch-trafficpolicy-p1] quit
Classifier: c1
Operator: AND
Rule(s) : if-match acl 3001
Redirect ip-nexthop
10.1.30.1
----End
Configuration Files
● Switch configuration file
#
sysname Switch
#
vlan batch 100 200
#
acl number 3001
rule 5 permit ip precedence routine
rule 10 permit ip precedence priority
rule 15 permit ip precedence immediate
rule 20 permit ip precedence flash
acl number 3002
rule 5 permit ip precedence flash-override
rule 10 permit ip precedence critical
rule 15 permit ip precedence internet
rule 20 permit ip precedence network
#
traffic classifier c1 operator and
if-match acl 3001
traffic classifier c2 operator and
if-match acl 3002
#
traffic behavior b1
redirect ip-nexthop 10.1.20.1
traffic behavior b2
redirect ip-nexthop 10.1.30.1
#
traffic policy p1 match-order config
classifier c1 behavior b1
classifier c2 behavior b2
#
interface Vlanif100
ip address 10.1.20.2 255.255.255.0
#
interface Vlanif200
ip address 10.1.30.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 200
traffic-policy p1 inbound
#
return
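As an added illustration (not part of the original guide and not the switch software), the following Python model reproduces how the traffic policies of the two preceding examples classify a packet and choose a redirection next hop: ACL wildcard-mask source matching, IP precedence matching, and first-match-wins evaluation under match-order config. It is a simplified model; the class and function names are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IP precedence keywords as written in the ACL rules above, with their RFC 791 values.
PRECEDENCE = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
              "flash-override": 4, "critical": 5, "internet": 6, "network": 7}

@dataclass
class AclRule:
    """One 'rule N permit ip ...' line; a None field matches anything."""
    source: Optional[str] = None      # "network wildcard", e.g. "192.168.100.0 0.0.0.255"
    precedence: Optional[str] = None  # precedence keyword, e.g. "flash"

    def matches(self, src_ip: str, prec: int) -> bool:
        if self.source is not None:
            net, wildcard = self.source.split()
            # ACL wildcard masks: a 1 bit means "don't care", so invert to get the bits compared.
            care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
            if int(ipaddress.IPv4Address(src_ip)) & care != int(ipaddress.IPv4Address(net)) & care:
                return False
        if self.precedence is not None and PRECEDENCE[self.precedence] != prec:
            return False
        return True

def acl_permits(rules: List[AclRule], src_ip: str, prec: int) -> bool:
    # Rules are checked in rule-number order; the first matching permit rule wins.
    return any(r.matches(src_ip, prec) for r in rules)

@dataclass
class TrafficPolicy:
    """'traffic policy p1 match-order config': classifiers are tried in the order of the
    'classifier cX behavior bX' statements; each entry is (ACL rules, redirect next hop)."""
    entries: List[Tuple[List[AclRule], str]]

    def next_hop(self, src_ip: str, prec: int = 0) -> Optional[str]:
        for rules, hop in self.entries:
            if acl_permits(rules, src_ip, prec):
                return hop   # 'redirect ip-nexthop' of the matched behavior
        return None          # no classifier hit: the packet follows the IP routing table

# Policy p1 of the first example: redirect by source subnet (constructed from its config file).
P1_BY_SOURCE = TrafficPolicy([
    ([AclRule(source="192.168.100.0 0.0.0.255")], "10.1.20.1"),  # c1 -> b1, high-speed link
    ([AclRule(source="192.168.101.0 0.0.0.255")], "10.1.30.1"),  # c2 -> b2, low-speed link
])

# Policy p1 of the second example: redirect by IP precedence (ACL 3001 = 0..3, ACL 3002 = 4..7).
P1_BY_PRECEDENCE = TrafficPolicy([
    ([AclRule(precedence=p) for p in ("routine", "priority", "immediate", "flash")], "10.1.20.1"),
    ([AclRule(precedence=p) for p in ("flash-override", "critical", "internet", "network")], "10.1.30.1"),
])
```

A packet that no classifier matches returns None, which is the case where the switch falls back to its ordinary routing-table lookup.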
Networking Requirements
In Figure 12-3, enterprise users need to access the Internet through SwitchA (core
switch) and the router (access gateway).
To ensure the security of the enterprise's intranet, traffic entering the intranet
needs to be imported to the firewall in bypass mode.
Figure 12-3 Networking for configuring PBR to import traffic to the firewall in
bypass mode
Configuration Roadmap
The configuration roadmap is as follows:
This example provides only the switch configuration. For the firewall configuration, see the
firewall documentation.
Procedure
Step 1 Configure an IP address for each interface on SwitchA and the firewall, and
configure a routing protocol on SwitchA.
# Assign an IP address to each interface of SwitchA. By default, a switch interface
is a Layer 2 interface. Before configuring an IP address for a switch interface, run
the undo portswitch command to change the interface to a Layer 3 interface.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] undo portswitch
[SwitchA-GigabitEthernet0/0/1] ip address 10.1.1.2 24
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo portswitch
[SwitchA-GigabitEthernet0/0/2] ip address 10.1.20.1 24
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] undo portswitch
[SwitchA-GigabitEthernet0/0/3] ip address 10.1.10.6 24
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] undo portswitch
[SwitchA-GigabitEthernet0/0/4] ip address 10.1.11.6 24
[SwitchA-GigabitEthernet0/0/4] quit
Step 2 Configure PBR on SwitchA to redirect traffic to the firewall for security detection.
Traffic that is sent from the external network to the enterprise intranet will be
redirected.
# Configure a traffic classifier to match all traffic.
# Configure a traffic behavior to redirect matching traffic to the firewall (with the
next-hop address 10.1.10.5).
[SwitchA] traffic behavior b1
[SwitchA-behavior-b1] redirect ip-nexthop 10.1.10.5
[SwitchA-behavior-b1] quit
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
traffic classifier c1 operator and
if-match any
#
traffic behavior b1
redirect ip-nexthop 10.1.10.5
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface GigabitEthernet0/0/1
undo portswitch
ip address 10.1.1.2 255.255.255.0
traffic-policy p1 inbound
#
interface GigabitEthernet0/0/2
undo portswitch
ip address 10.1.20.1 255.255.255.0
#
interface GigabitEthernet0/0/3
undo portswitch
ip address 10.1.10.6 255.255.255.0
#
interface GigabitEthernet0/0/4
undo portswitch
ip address 10.1.11.6 255.255.255.0
#
ospf 100
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.10.0 0.0.0.255
#
ospf 200
area 0.0.0.0
network 10.1.11.0 0.0.0.255
network 10.1.20.0 0.0.0.255
#
return
● If the low-speed link becomes faulty, packets with the source IP address
192.168.101.0/24 must be rapidly switched back to the high-speed link to
minimize service interruption caused by the link fault.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces to connect the enterprise's devices to
external network devices.
2. Configure an NQA test instance to detect low-speed link quality. This
configuration provides a fault detection mechanism for PBR.
3. Configure an ACL to match packets with the source address 192.168.101.0/24
that need to be directed to the low-speed link.
4. Configure a traffic classifier and bind it to the ACL so that SwitchA can
differentiate packets.
5. Configure a traffic behavior to redirect packets with the source IP address
192.168.101.0/24 to 10.1.30.1 and configure the NQA test instance for PBR.
6. Configure a traffic policy, bind it to the traffic classifier and traffic behavior,
and apply it to the inbound direction of GE0/0/3 on SwitchA to associate NQA
with PBR.
Procedure
Step 1 Specify the VLANs to which interfaces belong.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar and
are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.20.2 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 10.1.30.2 24
[SwitchA-Vlanif200] quit
# Create an advanced ACL 3001 on SwitchA to permit packets with the source IP
address 192.168.101.0/24.
[SwitchA] acl 3001
[SwitchA-acl-adv-3001] rule permit ip source 192.168.101.0 0.0.0.255
[SwitchA-acl-adv-3001] quit
# Create a traffic policy p1 on SwitchA, and bind it to the traffic classifier and
traffic behavior.
[SwitchA] traffic policy p1
[SwitchA-trafficpolicy-p1] classifier c1 behavior b1
[SwitchA-trafficpolicy-p1] quit
The preceding command output shows that PBR on SwitchA has been associated
with NQA. If a link becomes faulty, PBR on SwitchA becomes ineffective
immediately without waiting for the aging of ARP entries. Subsequently, traffic is
forwarded according to the IP routing table on SwitchA.
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200
#
acl number 3001
rule 5 permit ip source 192.168.101.0 0.0.0.255
#
traffic classifier c1 operator or
if-match acl 3001
#
traffic behavior b1
redirect ip-nexthop 10.1.30.1 track-nqa user test
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif100
ip address 10.1.20.2 255.255.255.0
#
interface Vlanif200
ip address 10.1.30.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/3
traffic-policy p1 inbound
#
nqa test-instance user test
test-type icmp
destination-address ipv4 10.1.30.1
frequency 11
interval seconds 5
timeout 4
probe-count 2
start now
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.20.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
return
● SwitchC configuration file
#
sysname SwitchC
#
vlan batch 200
#
interface Vlanif200
ip address 10.1.30.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 200
#
return
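The following Python model, added here and not taken from the guide or the switch software, shows how the NQA-tracked redirection of the SwitchA example behaves: the next hop 10.1.30.1 is used only while the ICMP test instance reports it reachable, and otherwise the packet falls back to the IP routing table. The round timing and the up/down threshold are simplifying assumptions, not vendor-specified behaviour; the parameter values are the ones from the SwitchA configuration file above.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class NqaIcmpTest:
    """Parameters of 'nqa test-instance user test' from the SwitchA configuration file."""
    frequency: int = 11    # 'frequency 11': seconds between the starts of two test rounds
    interval: int = 5      # 'interval seconds 5': seconds between probes within a round
    timeout: int = 4       # 'timeout 4': seconds to wait for each echo reply
    probe_count: int = 2   # 'probe-count 2': probes sent per round

    def round_duration(self) -> int:
        # The last probe goes out (probe_count - 1) * interval seconds into the round
        # and may wait the full timeout before it is counted as lost.
        return (self.probe_count - 1) * self.interval + self.timeout

    def worst_case_detection(self) -> int:
        # Simplified model (assumption, not vendor-specified timing): a link that fails
        # just after a round began is first seen by the next round, which starts
        # `frequency` seconds later and must lose every probe before the hop is declared down.
        return self.frequency + self.round_duration()

def track_state(replies: List[bool]) -> str:
    """Result of one round; assumed threshold: down only when no probe was answered."""
    return "up" if any(replies) else "down"

@dataclass
class TrackedRedirect:
    """'redirect ip-nexthop 10.1.30.1 track-nqa user test' of traffic behavior b1."""
    next_hop: str
    track: str = "up"

    def apply_round(self, replies: List[bool]) -> None:
        # Each finished NQA round updates the track state bound to this next hop.
        self.track = track_state(replies)

    def select(self, classifier_hit: bool) -> Optional[str]:
        if classifier_hit and self.track == "up":
            return self.next_hop
        return None   # hop withdrawn: the packet follows the IP routing table instead

def failover_delay(test: NqaIcmpTest, arp_aging_seconds: int) -> dict:
    """Compare untracked PBR, which waits for the ARP entry to age out, with NQA-tracked PBR.
    arp_aging_seconds is supplied by the caller (a constructed value, not a page figure)."""
    return {"without_nqa": arp_aging_seconds, "with_nqa": test.worst_case_detection()}
```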